The author is a Forbes contributor. The opinions expressed are those of the writer.


There's nothing particularly difficult about cracking a smartphone's four-digit PIN code. All it takes is a pair of thumbs and enough persistence to try all 10,000 combinations. But hackers hoping to save time and avoid arthritis now have a more efficient option: Let a cheap, 3D-printable robot take care of the manual labor.

At the Def Con hacker conference in Las Vegas early next month, security researchers Justin Engler and Paul Vines plan to show off the R2B2, or Robotic Reconfigurable Button Basher, a piece of hardware they built for around $200 that can automatically punch PIN numbers at a rate of about one four-digit guess per second, fast enough to crack a typical Android phone's lock screen in 20 hours or less.

"There's nothing to stop someone from guessing all the possible PINs," says Engler, a security engineer at San Francisco-based security consultancy iSec Partners. "We often hear 'no one would ever do that.' We wanted to eliminate that argument. This was already easy, it had just never been done before."

Engler and Vines built their bot, shown briefly in the video above, from three $10 servomotors, a plastic stylus, an open-source Arduino microcontroller, a collection of plastic parts 3D-printed on their local hackerspace's Makerbot 3D printer, and a five dollar webcam that watches the phone's screen to detect if it's successfully guessed the password. The device can be controlled via USB, connecting to a Mac or Windows PC that runs a simple code-cracking program. The researchers plan to release both the free software and the blueprints for their 3D-printable parts at the time of their Def Con talk.

In addition to their finger-like R2B2, Engler and Vines are also working on another version of their invention that will instead use electrodes attached to a phone's touchscreen, simulating capacitative screen taps with faster electrical signals. That bot, which they're calling the Capacitative Cartesian Coordinate Brute-force Overlay or C3BO, remains a work in progress, Engler says, though he plans to have it ready for Def Con.

Not all PIN-protected devices are susceptible to the R2B2's brute force attack, Engler admits. Apple's iOS, for instance, makes the user wait increasing lengths of time after each incorrect PIN guess. After just a handful of wrong answers, the phone can lock out a would-be hacker for hours before granting access to the PIN pad again.

But every Android phone that Engler and Vines tested was set by default to use a much less stringent safeguard, delaying the user just 30 seconds after every five guesses. At that rate, the robot can still guess five PINs every 35 seconds, or all 10,000 possibilities in 19 hours and 24 minutes.

Given that the robot's software can be programmed to guess PINs in any order the user chooses, it may be able to crack phones far faster than that 20 hour benchmark. One analysis of common PINs showed that more than 26% of users choose one of twenty common PINs. If R2B2 is set to try easily-guessed PINs first, it could crack one in four Android users' phones in less than five minutes, and half of those phones in less than an hour.

But Engler argues that the R2B2 helps to raise attention to the insecurity of crackable four-digit PINs in ways that software tools don't. Even a six-digit PIN, an option on many phones, would take R2B2 as much as 80 days longer to crack than the default four-digit passcode. "When you see a robot working like this, you think, 'maybe I should have a longer PIN,'" says Engler. "If I’m a CEO, a four digit PIN is a problem, because it’s worth 20 hours to break in and get my confidential emails."
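The arithmetic behind these figures, as an added example (not from the article or the researchers' software): a small model of the worst-case time to exhaust a PIN space under a lock-screen throttling policy, run on the article's numbers of one guess per second and a 30-second delay after every five wrong guesses. The escalating policy and its parameters are constructed for comparison, since the article gives no specifics for iOS.

```python
"""Worst-case time to exhaust a PIN space under a lock-screen throttling policy."""

def fixed_lockout(attempts_per_window, lockout_s):
    """Policy from the article: a flat delay after every N wrong guesses."""
    def delay(n):  # n = number of wrong guesses so far
        return lockout_s if n % attempts_per_window == 0 else 0
    return delay

def escalating_lockout(free_attempts, base_s, factor, cap_s):
    """Constructed policy: once free_attempts failures have occurred, every
    further failure multiplies the wait by factor, up to cap_s seconds."""
    def delay(n):
        if n < free_attempts:
            return 0
        wait = base_s
        for _ in range(n - free_attempts):
            wait *= factor
            if wait >= cap_s:
                return cap_s
        return wait
    return delay

def worst_case_seconds(digits, seconds_per_guess, delay):
    """Time to enter every PIN of the given length, correct one last."""
    space = 10 ** digits
    total = 0
    for n in range(1, space + 1):
        total += seconds_per_guess
        if n < space:  # no wait is needed after the final guess
            total += delay(n)
    return total

def days(seconds):
    return seconds / 86400

ANDROID_DEFAULT = fixed_lockout(5, 30)               # figures from the article
ESCALATING = escalating_lockout(5, 60, 2, 3600)      # constructed parameters

if __name__ == "__main__":
    for label, digits, policy in [
        ("4-digit, 30 s per 5 guesses", 4, ANDROID_DEFAULT),
        ("6-digit, 30 s per 5 guesses", 6, ANDROID_DEFAULT),
        ("4-digit, escalating to 1 h", 4, ESCALATING),
    ]:
        secs = worst_case_seconds(digits, 1, policy)
        print(f"{label}: {secs / 3600:.1f} h ({days(secs):.1f} days)")
```

With a flat 30-second delay the four-digit case comes out at about 19.4 hours and the six-digit case at about 81 days, while the constructed escalating policy pushes even a four-digit PIN past a year.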

Engler and Vines aren't the first to create an automated, physical PIN-cracking tool. Another hacker named JJ Dasher showed off a similar robot earlier in the year that could crack the four-digit PIN of a Garmin Nuvi GPS device, shown in the video below.

But Engler and Vines's invention is meant to be far more versatile. In addition to cracking phones' lockscreens, Engler says he and Vines plan to keep improving the robot so that it can be adapted to crack the PIN codes used in specific smartphone apps, or even to press the mechanical buttons on non-touchscreen devices like ATMs, hotel safes and combination locks. And in his daily work of auditing clients' security, breaking into a corporate smartphone represents a far more serious threat than accessing the data of any GPS device.

"We used to joke that we'd have to hire an intern to press all these buttons," says Engler. "It turns out it’s much better to get the intern to help make the robot. Then he also has time to get coffee."